Skip to content

Disable legacy alpn connection upgrade fallback#52534

Merged
greedy52 merged 1 commit intomasterfrom
STeve/52397_disable_alpn_ping_upgrade_header
Feb 28, 2025
Merged

Disable legacy alpn connection upgrade fallback#52534
greedy52 merged 1 commit intomasterfrom
STeve/52397_disable_alpn_ping_upgrade_header

Conversation

@greedy52
Copy link
Copy Markdown
Contributor

@greedy52 greedy52 commented Feb 26, 2025
edited
Loading

related:

changelog: Disable legacy alpn upgrade fallback during TLS routing connection upgrades. Now only WebSocket upgrade headers are sent by default. TELEPORT_TLS_ROUTING_CONN_UPGRADE_MODE=legacy can still be used to force legacy upgrades but it will be deprecated in v18.

Note that this quick change does NOT implement a global setting as requested by #52397 but should allow Teleport to work in environment with stricter Upgrade header rules. Also note that we are not deprecating the legacy mode as it may still be used in certain environments, and the legacy mode has slight performance advantage.

The WebSocket support is aded in v15.1, so the legacy fallback is still needed for v16. Thus this change will only be backported to v17.

Manually tested against AWS ALB. Integration tests also have simulated L7 LB tests.

@greedy52 greedy52 added tls-routing Issues related to TLS routing backport/branch/v17 labels Feb 26, 2025
@greedy52 greedy52 requested a review from smallinsky February 26, 2025 21:57
@greedy52 greedy52 self-assigned this Feb 26, 2025
@github-actions github-actions bot requested review from ravicious and tcsc February 26, 2025 21:57
@greedy52 greedy52 force-pushed the STeve/52397_disable_alpn_ping_upgrade_header branch from 6af389a to d3e8609 Compare February 26, 2025 21:59
r0mant
r0mant reviewed Feb 26, 2025
View reviewed changes
Comment thread api/client/alpn_conn_upgrade.go
@greedy52 greedy52 requested a review from r0mant February 27, 2025 16:23
@greedy52 greedy52 mentioned this pull request Feb 27, 2025
Closed
@greedy52 greedy52 added this pull request to the merge queue Feb 27, 2025
@hugoShaka hugoShaka removed this pull request from the merge queue due to a manual request Feb 27, 2025
@greedy52 greedy52 added this pull request to the merge queue Feb 28, 2025
@greedy52 greedy52 removed this pull request from the merge queue due to a manual request Feb 28, 2025
@greedy52 greedy52 added this pull request to the merge queue Feb 28, 2025
Merged via the queue into master with commit 764f555 Feb 28, 2025
@greedy52 greedy52 deleted the STeve/52397_disable_alpn_ping_upgrade_header branch February 28, 2025 14:32
@public-teleport-github-review-bot
Copy link
Copy Markdown

public-teleport-github-review-bot bot commented Feb 28, 2025

@greedy52 See the table below for backport results.

Branch Result
branch/v17 Create PR

@greedy52 greedy52 mentioned this pull request Feb 28, 2025
Merged
This was referenced Feb 28, 2025
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@r0mant r0mant r0mant approved these changes

@smallinsky smallinsky smallinsky approved these changes

Assignees

@greedy52 greedy52

Labels

backport/branch/v17 size/sm tls-routing Issues related to TLS routing

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@greedy52 @r0mant @smallinsky